Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix).
Evertec is a public financial technology giant that stands as a major full-service transaction processor in Latin America, Puerto Rico, and the Caribbean.
Sinqia, acquired by Evertec in 2023, is a São Paulo-based public company operating in financial software and IT services for the banking and financial industry.
Evertec disclosed in a filing to the U.S. Securities and Exchange Commission (SEC) that hackers breached Sinqia’s systems on August 29 and attempted to conduct unauthorized transactions.
“On August 29, 2025, Sinqia S.A., a Brazilian subsidiary of EVERTEC, Inc., identified unauthorized activity in its environment of the Brazilian Central Bank real-time payment system known as Pix,” reads the SEC filing.
“Upon detecting the incident, and in accordance with its incident response protocol, Sinqia halted transaction processing in its Pix environment and began working with outside cybersecurity forensics experts.”
Pix is Brazil’s instant payments system, launched by the Central Bank of Brazil in November 2020, allowing 24/7 instant fund transfers.
It has become the most widely used payment method in Brazil, and is often targeted by Android banking malware.
The hackers attempted to perform unauthorized business-to-business transactions involving two financial institutions that are customers of Sinqia.
Local media outlets implicated the HSBC bank, while a spokesperson from the bank underlined that this incident has not impacted customer funds or data.
Evertec notes that part of the $130 million has already been recovered, without mentioning how much, with recovery efforts still contining.
Investigation into the incident showed that the hackers gained access to Sinqia’s Pix environment by using stolen credentials for an IT vendor’s account.
Evertec has no indication that the impact extends beyond Sinqia’s Pix environment, and no evidence that personal data has been exposed.
Currently, Sinqia’s access to Pix has been revoked by the Central Bank of Brazil, but the company is working towards quick restoration by providing all the required details and assurances to the authorities.
Regarding the financial impact, Evertec notes that Sinqia’s Pix environment supports the operations of 24 financial institutions in Brazil.
“The financial and reputational impact of the incident, including any impact on the Company’s internal controls, are not yet known and could be material,” notes the company.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
